For Password policies, each point where an entry is permitted to change their password, should be able to enforce the password policy.

When performing Consistent Sign On this implies that the point at which the password is changed should be able to enforce the same password policy that is used for the entire organization. Typically, we have found it is best to limit the Policy Decision Points (PDP) to as few as possible as each PDP may interprut the policy slightly different or you may have to duplicate the policy within another system.

The concept of Policy Enforcement Point (also known as Access Control Enforcement Function) is where a policy decision is used to grant or deny access to a protected resource. A Policy Enforcement Point typically exists within an application or resource.

"Policy Enforcement Point", is the logical entity or place on a server that enforces policies for admission control and policy decisions in response to a request from a user wanting to access a resource on a computer or network server.

PEP is a component of policy-based management. When a user tries to access a file or other resource on a computer network or server that uses policy-based access management, the PEP will describe the user's attributes to other entities on the system. The PEP will give the Policy Decision Point (PDP) the job of deciding whether or not to authorize the user based on the description of the entity's attributes. Applicable policies are stored on the system and are analyzed by the PDP|DefinitionPolicyDecisionPoint]. The PDP|DefinitionPolicyDecisionPoint] makes it's decision and returns the decision. The PEP will let the entity know whether or not he has been authorized to access the requested resource.